StealthWatch FlowCollector

Overview

Collect and analyze massive amounts of network data to obtain comprehensive visibility for early threat detection.

The StealthWatch FlowCollector collects and analyzes vast amounts of valuable data from existing network infrastructure to provide a complete, cost-effective picture of everything happening in an enterprise environment. Sophisticated behavioral analytics and advanced security context enable early detection and enhanced protection for a wide range of threats including APTs, insider threats, DDoS and zero-day malware. The FlowCollector uses flow-based anomaly detection to zoom in on any unusual behavior and immediately sends an alarm with actionable intelligence that allows personnel to take quick, decisive steps to mitigate any issues. Operators can use the StealthWatch System’s unique drill-down features to identify and isolate the root cause within seconds, enhancing operational efficiency, decreasing costs and dramatically reducing the time from problem onset to resolution.

StealthWatch FlowCollector screenshot

Leverages Existing Infrastructure for Comprehensive, Cost-Effective Visibility

By drawing upon NetFlow, IPFIX and other types of flow data from existing infrastructure, the FlowCollector provides a cost-effective means of achieving comprehensive, end-to-end visibility across the entire enterprise network. Vast amounts of data are collected and analyzed from routers, switches, firewalls and other network infrastructure devices to provide a complete picture of network activity. No additional hardware, sensor technology, inline device or software agent is required; the network itself is the sensor, detecting and alerting on anomalous behavior 24/7. Stitched, deduplicated, bidirectional flows further streamline network and security monitoring. In addition to detecting threats in real time, the StealthWatch FlowCollector can store months or even years of data, creating a complete audit trail for forensic investigations and compliance initiatives.
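The collection step described above, as an added example that is not Lancope's or StealthWatch's code: a small NetFlow v5 parser followed by the deduplication and stitching that turn several routers' unidirectional exports into one bidirectional conversation record. The exporter names, addresses, timestamps, the two datagrams and the client/server tie-break heuristic are all assumptions of the example; the v5 header and record layout are the published wire format.

```python
"""Added example, not Lancope/StealthWatch code: a minimal NetFlow v5 collector
pipeline. It parses exports from two routers, deduplicates the flow both of them
reported, and stitches each flow's two directions into one conversation. All
records, addresses and exporter names below are constructed."""
import socket
import struct

# NetFlow v5 wire format: 24-byte header followed by 48-byte records, big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")  # version, count, sys_uptime(ms), unix_secs,
                                         # unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in_if, out_if, pkts,
                                         # bytes, first, last, sport, dport, pad, tcp_flags, proto,
                                         # tos, src_as, dst_as, src_mask, dst_mask, pad


def build_v5_datagram(records, sys_uptime, unix_secs=1700000000):
    """Serialise constructed records as a router would (test fixture only). Record
    times are absolute ms; v5 carries them relative to the exporter's uptime."""
    base_ms = unix_secs * 1000 - sys_uptime
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0" * 4,
                       1, 2, r["pkts"], r["bytes"], r["start"] - base_ms, r["end"] - base_ms,
                       r["sport"], r["dport"], 0, r.get("flags", 0), r["proto"],
                       0, 0, 0, 0, 0, 0)
        for r in records)
    return header + body


def parse_v5(datagram, exporter):
    """Decode one datagram into flow dicts with wall-clock times, tagged by exporter."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, sys_uptime, unix_secs = V5_HEADER.unpack_from(datagram, 0)[:4]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    need = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < need:  # never trust the header's count over the real length
        raise ValueError(f"truncated export: {len(datagram)} bytes, header implies {need}")
    base_ms = unix_secs * 1000 - sys_uptime  # wall-clock instant of this exporter's uptime 0
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"exporter": exporter,
                      "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "bytes": f[6], "start": base_ms + f[7], "end": base_ms + f[8],
                      "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13]})
    return flows


def deduplicate(flows):
    """Collapse copies of one unidirectional flow reported by several exporters on its
    path (exact start-time match here; a real collector tolerates some clock skew)."""
    merged = {}
    for f in flows:
        key = (f["src"], f["sport"], f["dst"], f["dport"], f["proto"], f["start"])
        m = merged.get(key)
        if m is None:
            m = merged[key] = {k: v for k, v in f.items() if k != "exporter"}
            m["exporters"] = set()
        m["exporters"].add(f["exporter"])
        # Copies describe the same packets: keep the fullest counters, never sum them.
        m["pkts"], m["bytes"] = max(m["pkts"], f["pkts"]), max(m["bytes"], f["bytes"])
        m["end"] = max(m["end"], f["end"])
    return list(merged.values())


def stitch(flows):
    """Pair each flow with its reverse direction into one bidirectional conversation."""
    by_tuple = {}
    for f in flows:
        by_tuple.setdefault((f["src"], f["sport"], f["dst"], f["dport"], f["proto"]), []).append(f)
    conversations, done = [], set()
    for key, fwd in by_tuple.items():
        if key in done:
            continue
        rev_key = (key[2], key[3], key[0], key[1], key[4])
        rev = by_tuple.get(rev_key, [])
        done.update((key, rev_key))
        # Client = the side that spoke first; on a tie, the side talking to the lower
        # (well-known) port. This is the example's heuristic, not a product statement.
        if rev and (min(r["start"] for r in rev), rev_key[3]) < (min(f["start"] for f in fwd), key[3]):
            fwd, rev, key = rev, fwd, rev_key
        conversations.append({
            "client": (key[0], key[1]), "server": (key[2], key[3]), "proto": key[4],
            "client_bytes": sum(f["bytes"] for f in fwd),
            "server_bytes": sum(f["bytes"] for f in rev),
            "replied": bool(rev),
            "exporters": set().union(*(f["exporters"] for f in fwd + rev)),
        })
    return conversations


# Constructed traffic: a TLS session exported by both the edge and the core router,
# a DNS exchange, and a lone SYN to an SSH port that never got an answer. Times in ms.
T0 = 1_700_000_000_000
HTTPS_FWD = dict(src="10.1.2.3", dst="10.1.9.9", sport=51000, dport=443, proto=6,
                 pkts=12, bytes=2400, start=T0 + 100, end=T0 + 160, flags=0x1A)
HTTPS_REV = dict(src="10.1.9.9", dst="10.1.2.3", sport=443, dport=51000, proto=6,
                 pkts=10, bytes=18000, start=T0 + 101, end=T0 + 160, flags=0x1A)
DNS_Q = dict(src="10.1.2.3", dst="10.1.0.53", sport=40000, dport=53, proto=17,
             pkts=1, bytes=70, start=T0 + 90, end=T0 + 90)
DNS_R = dict(src="10.1.0.53", dst="10.1.2.3", sport=53, dport=40000, proto=17,
             pkts=1, bytes=150, start=T0 + 90, end=T0 + 90)
SYN_ONLY = dict(src="10.1.2.3", dst="10.1.5.5", sport=49152, dport=22, proto=6,
                pkts=1, bytes=60, start=T0 + 120, end=T0 + 120, flags=0x02)


def run_demo():
    """Two exporters with different uptimes report overlapping flows; returns
    (raw records, deduplicated flows, stitched conversations)."""
    datagrams = {"edge-rtr": build_v5_datagram([HTTPS_FWD, DNS_Q, DNS_R, SYN_ONLY], sys_uptime=1_000),
                 "core-rtr": build_v5_datagram([HTTPS_FWD, HTTPS_REV], sys_uptime=50_000)}
    raw = [f for name, d in datagrams.items() for f in parse_v5(d, name)]
    unique = deduplicate(raw)
    return raw, unique, stitch(unique)
```

Running `run_demo()` turns 6 exported records into 5 unique flows and 3 conversations; the TLS session is credited to both exporters rather than counted twice, and the unanswered SYN surfaces as a conversation with `replied == False`, which is the shape later detection logic wants. Two points a practitioner should note: the record timestamps are relative to each exporter's uptime and must be normalised through the header before records from different routers can be compared, and the header's `count` field is never trusted over the datagram's real length.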

Detects Lateral Movement Not Seen by Other Technologies

While most security technologies focus on "bad" communications between the network and the outside, the StealthWatch System protects the network from the inside out, also detecting suspicious communications within the network itself. Monitoring this lateral, east-west traffic is critical for identifying insider threats, and for tracking the spread of an external attack through the network to determine which hosts have been infected.
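East-west monitoring of the kind described above, as an added example that is not product code: detection logic run over constructed, already-stitched conversation records, using the automatic baselining and reconnaissance detection ideas from the feature list further down the page. The address space, the admin-port list, every threshold and the sample traffic are assumptions of the example.

```python
"""Added example, not Lancope/StealthWatch code: flow-based detection of east-west
reconnaissance and lateral movement over stitched, bidirectional conversation
records. A per-host baseline of normal internal fan-out is learned from past
intervals; the current interval is then checked for (1) deviation from that
baseline, (2) wide fan-out with mostly unanswered probes and (3) answered admin-port
sessions with hosts never contacted before. Every address, record and threshold
below is constructed."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed enterprise address space
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}       # assumed remote-administration services


def flow(src, dst, dport, server_bytes=1200, proto=6):
    """One stitched conversation client -> server:dport; server_bytes == 0 means no reply."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "server_bytes": server_bytes}


def by_source(flows):
    """Group east-west conversations (both ends internal) by the host that started them."""
    groups = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f["src"]) in INTERNAL and ipaddress.ip_address(f["dst"]) in INTERNAL:
            groups[f["src"]].append(f)
    return groups


def build_baseline(history):
    """history: one list of conversations per past interval. Learns, per host, the mean
    and standard deviation of distinct internal peers, plus every (src, dst) pair seen."""
    per_window = [{h: len({f["dst"] for f in fs}) for h, fs in by_source(w).items()} for w in history]
    stats = {}
    for host in set().union(*per_window):
        counts = [c.get(host, 0) for c in per_window]     # absent from an interval = 0 peers
        stats[host] = (statistics.mean(counts), statistics.pstdev(counts))
    known = {(f["src"], f["dst"]) for w in history for fs in by_source(w).values() for f in fs}
    return {"stats": stats, "known_pairs": known}


def detect(current, baseline, sigma=3.0, min_delta=5, fanout_limit=20,
           unanswered_ratio=0.5, new_admin_peers=2):
    """Return alarms as (host, type, detail). The thresholds are assumptions to tune."""
    alarms = []
    for host, fs in by_source(current).items():
        peers = {f["dst"] for f in fs}
        mean, sd = baseline["stats"].get(host, (0.0, 0.0))
        # (1) Baseline deviation: far more internal peers than this host normally has.
        # min_delta stops a quiet host with sd == 0 from alarming on one extra peer.
        if len(peers) > mean + max(sigma * sd, min_delta):
            alarms.append((host, "peer_count_anomaly",
                           f"{len(peers)} internal peers, baseline {mean:.1f} +/- {sd:.1f}"))
        # (2) Reconnaissance: many new hosts or ports touched, most without any answer.
        new = [f for f in fs if (host, f["dst"]) not in baseline["known_pairs"]]
        new_peers, new_ports = {f["dst"] for f in new}, {f["dport"] for f in new}
        unanswered = sum(1 for f in new if f["server_bytes"] == 0)
        if max(len(new_peers), len(new_ports)) >= fanout_limit and unanswered >= unanswered_ratio * len(new):
            alarms.append((host, "internal_scan",
                           f"{len(new_peers)} new hosts / {len(new_ports)} ports probed, "
                           f"{unanswered}/{len(new)} unanswered"))
        # (3) Lateral movement: answered sessions on admin ports with never-before-seen hosts.
        admin = {f["dst"] for f in new if f["dport"] in ADMIN_PORTS and f["server_bytes"] > 0}
        if len(admin) >= new_admin_peers:
            alarms.append((host, "lateral_movement",
                           f"admin-port sessions with {len(admin)} new hosts: {sorted(admin)}"))
    return alarms


# Constructed traffic. Five quiet intervals form the baseline; in the current one,
# 10.1.2.3 sweeps SMB across 10.1.5.0/24 (30 targets, only every sixth answers) and
# then opens RDP to three of the responders. 10.1.2.4 behaves as usual.
NORMAL = [flow("10.1.2.3", "10.1.9.9", 445), flow("10.1.2.3", "10.1.0.53", 53, proto=17),
          flow("10.1.2.3", "10.1.9.10", 443),
          flow("10.1.2.4", "10.1.9.9", 445), flow("10.1.2.4", "10.1.0.53", 53, proto=17),
          flow("10.1.2.4", "203.0.113.10", 443)]          # north-south, ignored by by_source
HISTORY = [NORMAL] * 5
SWEEP = [flow("10.1.2.3", f"10.1.5.{i}", 445, server_bytes=900 if i % 6 == 0 else 0)
         for i in range(1, 31)]
RDP = [flow("10.1.2.3", f"10.1.5.{i}", 3389) for i in (6, 12, 18)]
CURRENT = NORMAL + SWEEP + RDP


def run_demo():
    """Baseline on HISTORY, then score CURRENT; returns the alarm list."""
    return detect(CURRENT, build_baseline(HISTORY))
```

`run_demo()` raises three alarms for 10.1.2.3 (peer-count anomaly, internal scan, lateral movement) and none for 10.1.2.4, whose flow to the outside never enters the east-west view. Checks (2) and (3) deliberately look only at peers the host has never talked to before: a file server that legitimately reaches hundreds of clients on port 445 stays quiet, while a workstation that suddenly holds SMB or RDP sessions with five machines it had never contacted does not.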

Provides Massive Scalability for Large, High-Speed Environments

FlowCollector models are available to monitor and protect every IP-reachable part of the network, regardless of organization size. A single FlowCollector can store and analyze data from as many as 4,000 flow sources at up to 240,000 flows per second (fps). When fully scaled, the StealthWatch System can process data from as many as 50,000 flow sources at up to 6 million fps. Easy upgrade paths let an organization start small and expand the system as capacity needs change over time. The FlowCollector Virtual Edition (VE) performs the same function as the appliance editions, but in a VMware environment, and scales dynamically according to the resources allocated to it.

Feature | Network | Security
Automatic baselining of all IP traffic | X | X
Automatic anomaly detection in traffic/host behavior | X | X
Layer 7 anomaly detection* | X | X
Massive scalability | X | X
Flexible deployment options, including virtual | X | X
NAT stitching | X | X
Peer-to-Peer (P2P) file sharing detection | X | X
Host and service profiling | X | X
Index-based prioritization technology | X | X
OS fingerprinting** | X | X
Support for application-aware flows such as NBAR2* | X | X
Support for custom applications | X | X
Closest interface determination and tracking | X | X
Deduplication of flows | X | X
Virtual environment monitoring* | X | X
Host Group tracking and reporting | X | X
Router interface tracking and reporting |  | X
Bandwidth accounting and reporting |  | X
Packet-level performance metrics* |  | X
QoS (DSCP) monitoring |  | X
Interface utilization alarming |  | X
Unauthorized host access detection* | X | X
Unauthorized Web server detection | X | X
Misconfigured firewalls detection* | X | X
Combined internal and external monitoring | X | X
Full flow logging |  | X
Worm detection |  | X
Botnet detection* |  | X
DoS/DDoS detection (SYN, ICMP, or UDP flood) |  | X
Fragmentation attack detection** |  | X
Network scanning and reconnaissance detection |  | X
Large file transfer detection |  | X
Rogue server detection |  | X
*Limited functionality with sFlow
**Limited functionality with NetFlow

 

FlowCollector for NetFlow

Model | Flows per second | Routers | Description
StealthWatch FC 1000 | Up to 30,000 | Up to 500 | This StealthWatch FlowCollector appliance provides redundant power, storage and extra interfaces for flow collection on multiple interfaces, while providing enough horsepower for mid- to large-sized networks.
StealthWatch FC 2000 | Up to 60,000 | Up to 1,000 | The FC 2000 for NetFlow is a powerhouse NetFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large NetFlow or IPFIX environments.
StealthWatch FC 4000 | Up to 120,000 | Up to 2,000 | The FC 4000 is massively scalable to process very high volumes of flow data. It also features storage capabilities of up to 4 TB.
StealthWatch FC 5000 | Up to 240,000 | Up to 4,000 | The FC 5000 provides a high-capacity flow ingestion solution created for enterprise customers needing superior performance capabilities.

Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for NetFlow appliance depends on multiple factors, including flows per second, the physical location of NetFlow-enabled routers and the quantity of NetFlow-enabled devices connected.

 

FlowCollector for sFlow

Model | Flows per second | Routers | Description
StealthWatch FC 1000 for sFlow | Up to 30,000 | Up to 500 | This StealthWatch FlowCollector appliance provides redundant power, storage and extra interfaces for flow collection on multiple interfaces, while providing enough horsepower for mid- to large-sized networks.
StealthWatch FC 2000 for sFlow | Up to 60,000 | Up to 1,000 | The FC 2000 for sFlow is a powerhouse sFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large sFlow environments.
StealthWatch FC 4000 for sFlow | Up to 120,000 | Up to 2,000 | The FC 4000 for sFlow is massively scalable to process very high volumes of flow data. It also features storage capabilities of up to 4 TB.
StealthWatch FC 5000 for sFlow | Up to 240,000 | Up to 4,000 | The FC 5000 provides a high-capacity flow ingestion solution created for enterprise customers needing superior performance capabilities.

Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for sFlow appliance depends on multiple factors, including samples per second, the physical locations of sFlow-enabled devices and the quantity of flow-enabled devices connected.

 

Appliance Specifications*

FC 1000*
Description: Provides redundant power, storage and extra interfaces for flow collection on multiple interfaces, while providing enough horsepower for mid- to large-sized networks
Maximum flows per second: Up to 30,000** fps
Maximum exporters: 500
Ports: 1 management port (10/100/1000 copper); 3 monitoring/listening ports
Flow storage: 1 TB (RAID-6 redundant)
Hardware platform: R620
Rack units (mountable): 1U
Power: Redundant 750W AC, 50/60 Hz, auto-ranging (100V to 240V)
Heat dissipation: 2,891 BTU per hour maximum
Dimensions: Height 1.68 in. (4.3 cm); Width 17.08 in. (43.4 cm); Depth 27.25 in. (69.2 cm)
Weight: 41 lb (18.6 kg)

FC 2000*
Description: Delivers full hardware redundancy and enough flow-processing horsepower for extremely large NetFlow, sFlow or IPFIX environments
Maximum flows per second: Up to 60,000** fps
Maximum exporters: 1,000
Ports: 1 management port (10/100/1000 copper); 3 monitoring/listening ports
Flow storage: 2 TB (RAID-6 redundant)
Hardware platform: R620
Rack units (mountable): 1U
Power: Redundant 750W AC, 50/60 Hz, auto-ranging (100V to 240V)
Heat dissipation: 2,891 BTU per hour maximum
Dimensions: Height 1.68 in. (4.3 cm); Width 17.08 in. (43.4 cm); Depth 27.25 in. (69.2 cm)
Weight: 41 lb (18.6 kg)

FC 4000*
Description: Offers a massively scalable option to process very high volumes of flow data
Maximum flows per second: Up to 120,000** fps
Maximum exporters: 2,000
Ports: 1 management port (10/100/1000 copper); 3 monitoring/listening ports
Flow storage: 4 TB (RAID-6 redundant)
Hardware platform: R720
Rack units (mountable): 2U
Power: Redundant 750W AC, 50/60 Hz, auto-ranging (100V to 240V)
Heat dissipation: 2,891 BTU per hour maximum
Dimensions: Height 3.4 in. (8.7 cm); Width 17.5 in. (44.4 cm); Depth 29.2 in. (74.1 cm)
Weight: 64.3 lb (29.2 kg)

FC 5000*
Description: High-capacity flow ingestion solution created for enterprise customers needing superior performance capabilities
Maximum flows per second: 240,000** fps
Maximum exporters: 4,096
Ports: 1 management/monitoring/listening port (10/100/1000); 1 reserved port (10/100/1000, reserved for future use); 1 database node connection port (10G); 1 reserved port (10G, reserved for future use)
Flow storage: 6 TB (RAID-10 redundant)
Hardware platform: Engine R620; Database Node R820
Rack units (mountable): 1U engine; 2U database node
Power: R620 dual, hot-plug, redundant power supply (1+1), 750W; R820 dual, hot-plug, non-redundant power supply (2+0), 1100W
Heat dissipation: R620 2,891 BTU per hour maximum; R820 4,100 BTU per hour maximum
Dimensions: R620 Height 1.68 in. (4.3 cm), Width 17.08 in. (43.4 cm), Depth 27.25 in. (69.2 cm); R820 Height 3.4 in. (8.7 cm), Width 17.5 in. (44.4 cm), Depth 29.2 in. (74.1 cm)
Weight: R620 64 lb; R820 85 lb

All models
Hardware generation: 12G
Rails: Sliding ReadyRails with cable management arm
Regulatory:
  • FCC (U.S. only) Class A
  • DOC & ICES (Canada) Class A
  • CE Mark (EN55022 Class A, EN55024, EN61000-3-2, EN 61000-3-3, EN60950)
  • VCCI Class A
  • UL 1950
  • CSA 950

Please call for a complete list.

* Specs for StealthWatch v6.6

** The maximum fps can change depending on varying network conditions. Please contact a Lancope representative for details.

 

The StealthWatch Virtual FlowCollector mirrors the performance of the physical appliance and now supports both VMware and KVM virtual environments. The specifications above apply to the Virtual FlowCollector 1000, 2000 and 4000. For the FlowCollector VE to operate effectively, allocate resources so that they are reserved for the FlowCollector VE and not shared with any other virtual machine.